Police in China are investigating the theft of data from a major hotel group after 130 million customer records were discovered for sale on the shady part of the web called the darknet.

The data pertains to the Chinese hotel group Huazhu Hotels Group Ltd., a Nasdaq-listed company with 3,903 hotels run under a range of its own brands as well as brands franchised from Accor S.A. They include Novotel, Ibis and Mercure, all popular with western visitors.

Discovered by a Chinese tech site and later reported by Bleeping Computer, the stolen data came in at 141.5 gigabytes. The 130 million records included customer names, mobile phone number, email address, ID number (including passport information), login account password, home address, birthdate, credit card number, check-in time, departure time, room number and spending amount.

The last check-in time in the file is Aug. 13, suggesting that the data breach was recent. The person selling the data, on an unnamed dark web site, is said to be demanding a payment of eight bitcoin for the data, equivalent to $56,244 as today’s exchange rate.

Whether the data was hacked, accidentally exposed or stolen by an insider isn’t yet clear. BJNews claimed the data dump came from a company programmer who initially uploaded the internal database to GitHub, but that doesn’t clarify if it was uploaded intentionally or, for that matter, how the data progressed from GitHub to the darknet.

Rod Soto, director of security research at JASK Inc., told SiliconANGLE that although the large number of data records is shocking, this infiltration doesn’t come as a huge surprise.

“The incident is similar in nature to large data leaks we’ve seen in the past where Amazon S3 buckets are left on the open internet without a password,” Soto said. That suggests the information may have been stolen from the GitHub upload, he said.

“Instances like this should hammer home the importance of taking proper security precautions when using any third-party cloud service because if they’re not configured properly, they can and will continue to lead to these types of massive breaches,” Soto added.

Photo: WhisperToMe/Wikimedia Commons